A New Cybersecurity Research Agenda (In Three Minutes or Less)

Editor’s Note: As the CISO of In-Q-Tel, the CIA-backed strategic investment firm focused on developing technologies for the intelligence community, Dan Geer gets paid to help find the answers to big questions about computer security, national security, privacy and technology. Headlines proliferate about sophisticated cyber attacks, the looming specter of cyber warfare and ongoing espionage by nations like China and Russia. That means Dan’s job gets more important with each passing day. So what’s on Dan Geer’s mind these days? We asked him what questions he was mulling and, as usual, the answers we got back were both eye-opening and provocative. Here, in Monday morning ‘shot of espresso’ format (and with as little editing as possible) is our three minute speed date with Dan’s brain.

The challenge: In three minutes, give the research agenda in cybersecurity.

We would need a lot less research if we put into practice what we already know. But we don’t. Ergo, why we don’t put into practice what we already know is itself a research-grade topic.

We humans can build structures more complex than we can then operate. (The financial industry has just proven this by example.) Cyberspace is on track to prove the same thing to us all over again, which leads to the research question: Are humans in the loop a failsafe or a liability? Is fully automated security to be desired or to be feared? Is there a simple metric that differentiates the desirable from the frightening?

Security is not composable. However, in cyberspace, everything critical is a melange. Gilbert and Lynch’s proof of Brewer’s theorem finds that in a distributed system it is Consistency, Availability, and Partition Tolerance, choose any two. That tells me there is a research-grade result for cybersecurity that will be found to be parallel.

In the 1990s, the commercial world pulled even with the military world in the application of cryptography. It is now doing the same with traffic analysis (heretofore the strategic redoubt of the intelligence community). While the intelligence community has had the pre-eminent sensor fabric, integrated messaging coupled to geo-location technology is the stuff of hegemony. This is a fact which is not lost on Russia, is not lost on China, and one hopes is not lost on Google. Is resistance to traffic analysis a research-grade question, or is it merely wishful thinking?

The security implications of the conversion to IPv6 are poorly understood. The security impact of the move to IPv6 will be felt one step beyond the IPv6 address, at the interface between an impossibly large Internet address space and a nearly infinite, but intermittently tethered, Internet-of-things. IPv6’s simultaneous multi-homing and address-hopping, along with consumer-grade multi-channel routers, mean network discovery as a cybersecurity tool is dead. As a research topic, what replaces network discovery as a management tool, or is consumerization the end of bothering to try?

All security technologies are dual use. Does anyone want to prove otherwise?

For cybersecurity, solving known problems is not research. Figuring out what the problems will be — that’s research. You have three minutes.